Tags: azure, azure-resource-manager, azure-keyvault, azure-rm-template

Get the latest version of a certificate from an Azure key vault in an ARM template


I am creating an ARM template that needs to install an SSL certificate that is located inside an Azure key vault. If I specify the certificate with the thumbprint, it works fine:

https://contoso.vault.azure.net/secrets/web01-test-contoso-com/968bf207451149d3aceb390065af9d3a

But as a certificate is on a ticking clock, this hard-codes a dependency that can go stale into the ARM template. I would rather just specify the latest version (like it shows in the portal). However, I haven't found any documentation that shows how to do that or even mentions if it is possible.

I ran a couple of experiments using:

https://contoso.vault.azure.net/secrets/web01-test-contoso-com

and

https://contoso.vault.azure.net/secrets/web01-test-contoso-com/latest

But in both cases, I got the same error message:

message '{
  "error": {
    "code": "InvalidParameter",
    "message": "https://contoso.vault.azure.net/secrets/web01-test-contoso-com/latest is not a valid versioned Key Vault Secret URL. It should be in the format https://<vaultEndpoint>/secrets/<secretName>/<secretVersion>.",
    "target": "certificateUrl"
  }
}'

So my question is: How can I reference the certificate in a way that I get the latest version?

For clarity, I am using the URL in the secrets section of the ARM template for a VM as follows, which gets the certificate from the Azure key vault and installs it into the Windows certificate store.

    "secrets": [
      {
        "sourceVault": {
          "id": "[resourceId(parameters('keyVaultResourceGroupName'), 'Microsoft.KeyVault/vaults', parameters('keyVaultName'))]"
        },
        "vaultCertificates": [
          {
            "certificateUrl": "https://contoso.vault.azure.net/secrets/web01-test-contoso-com/latest",
            "certificateStore": "My"
          }
        ]
      }
    ]

NOTE: I would find it odd that you can specify the latest version of an OS to install, but you cannot specify to install the latest version of a certificate.


Solution

  • It is possible, contrary to what the accepted answer says. Define a variable with the secret's resource id, for example:

    "mySecretResourceId": "[concat(resourceGroup().id,'/providers/Microsoft.KeyVault/vaults/', variables('keyVaultName'), '/secrets/', 'my-secret-name')]"

    Then you can use it in your template as follows:

    "certificateUrl": "[reference(variables('mySecretResourceId'), '2018-02-14').secretUriWithVersion]"
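As an added example (not code from the question or the answer): a small Python helper that does the same "latest usable version" selection outside the template, for pipelines that resolve the versioned secret URL before deployment, and checks the URL shape the error message demands. The listing it consumes is assumed to follow Key Vault's secret-versions listing (an `id` plus `attributes` with `enabled`, `created` and optional `exp`); the sample entries are constructed.

```python
import re
from typing import List, Optional

# Shape the deployment error demands for 'certificateUrl':
#   https://<vaultEndpoint>/secrets/<secretName>/<secretVersion>
# The version is an opaque id like the 32 hex characters in the question;
# '/latest' and the unversioned URL fail this check just as ARM rejects them.
VERSIONED_SECRET_URL = re.compile(
    r"^https://[^/]+/secrets/[A-Za-z0-9-]+/[0-9a-fA-F]{32}/?$"
)


def is_versioned_secret_url(url: str) -> bool:
    """True only for a fully versioned Key Vault secret URL."""
    return VERSIONED_SECRET_URL.match(url) is not None


def latest_usable_version_url(versions: List[dict], now_epoch: float) -> Optional[str]:
    """Return the versioned URL of the newest usable secret version, or None.

    Assumed listing shape: each entry has 'id' (the versioned URL) and
    'attributes' with 'enabled', 'created' (epoch seconds) and optional 'exp'.
    Disabled and expired versions are skipped so a stale certificate is never
    handed to the template, which is the failure the question wants to avoid.
    """
    usable = [
        v for v in versions
        if v["attributes"].get("enabled", False)
        and v["attributes"].get("exp", float("inf")) > now_epoch
    ]
    if not usable:
        return None
    newest = max(usable, key=lambda v: v["attributes"]["created"])
    return newest["id"]


# Constructed sample listing (not real vault data): an expired version,
# a current one, and a newer but disabled one.
_BASE = "https://contoso.vault.azure.net/secrets/web01-test-contoso-com/"
SAMPLE_VERSIONS = [
    {"id": _BASE + "a" * 32, "attributes": {"enabled": True, "created": 1_500_000_000, "exp": 1_600_000_000}},
    {"id": _BASE + "b" * 32, "attributes": {"enabled": True, "created": 1_650_000_000}},
    {"id": _BASE + "c" * 32, "attributes": {"enabled": False, "created": 1_700_000_000}},
]

if __name__ == "__main__":
    chosen = latest_usable_version_url(SAMPLE_VERSIONS, now_epoch=1_680_000_000)
    print(chosen, is_versioned_secret_url(chosen))
```

The resolved URL can then be passed as a template parameter in place of the hard-coded version, with the regex check guarding against the "/latest" mistake before the deployment is submitted.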